Saturday, March 17, 2012

Detailed logging for chrooted sftp users

At work we have been migrating some of our customers from ftp to sftp. This gives us and the customer better security, but one drawback of my initial sftp setup was that we didn't have the detailed logs most ftp servers produce. All we were getting in the logs were records of logins and disconnects; we had no information on what a client was doing once connected, such as file uploads and file downloads. I had some time this morning to take a look at this, and started with some Google searches for 'sftp logging'.

I found a lot of blog posts saying that all you had to do was change this line in sshd_config:

ForceCommand internal-sftp

to:

ForceCommand internal-sftp -l VERBOSE

I tried this but didn't get any additional logging. What I finally figured out is that the logging setup for chrooted sftp is a bit more involved. I ran across this blog which spells out what needs to be done quite clearly. The meat of the problem is that the chrooted sftp process can't open /dev/log because it is not within the chrooted filesystem. An additional layer of complexity is that my sftp home directories exist on an NFS mount. Here are the steps from bigmite.com's blog that I used for my CentOS system.

If the user's sftp directory is not on the root filesystem, syslog will need to use an additional logging socket within the user's filesystem. For example, /sftp is the separate sftp filesystem (like my setup, with the sftp home directories on an NFS mount). For syslog on Redhat/CentOS, edit /etc/sysconfig/syslog so that the line:

SYSLOGD_OPTIONS="-m 0"

reads:

SYSLOGD_OPTIONS="-m 0 -a /sftp/sftp.log.socket"

To log the sftp information to a separate file the syslog daemon needs to be told to log messages for LOCAL6 to /var/log/sftp.log. Add the following to /etc/syslog.conf:

#For SFTP logging
local6.*    /var/log/sftp.log

Restart syslog with the command service syslog restart. When syslog starts up it will create the sftp.log.socket file.

3. Create links to the log socket
Now you will need to create a link in each user's chrooted home directory so the chrooted sftp process can write to the log. This will also need to be done every time you create a new user.
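To make the steps above repeatable (and to make sure every new user gets their link), here is an added shell script; it is not from this post or from bigmite.com. It assumes the post's paths (/sftp, /sftp/sftp.log.socket, /etc/sysconfig/syslog, /etc/syslog.conf, /var/log/sftp.log) and lets them be overridden through environment variables so the functions can be exercised against a scratch directory. It adds two checks the post does not spell out: before the hard link it confirms the socket and the user's chroot are on the same filesystem, because a hard link cannot cross filesystems (the "invalid cross-device link" error discussed in the comments), and it checks that sshd_config passes -f LOCAL6 to internal-sftp, since sftp-server logs to the AUTH facility unless told otherwise and the local6 rule would then never match. The -f LOCAL6 part is this example's addition; the post itself only shows -l VERBOSE.

```sh
#!/bin/sh
# Added example, not from the original post or bigmite.com: automate the
# CentOS steps above (extra syslogd socket, local6 rule, per-user /dev/log
# link). Paths default to the post's values but can be overridden.

SFTP_ROOT="${SFTP_ROOT:-/sftp}"                     # separate sftp filesystem
SOCKET="${SOCKET:-$SFTP_ROOT/sftp.log.socket}"      # extra syslogd socket
SYSCONFIG="${SYSCONFIG:-/etc/sysconfig/syslog}"
SYSLOG_CONF="${SYSLOG_CONF:-/etc/syslog.conf}"
SFTP_LOG="${SFTP_LOG:-/var/log/sftp.log}"

# Step 1: append "-a $SOCKET" to SYSLOGD_OPTIONS. Idempotent; returns 1 if
# no SYSLOGD_OPTIONS line exists so the caller notices nothing was changed.
add_syslog_socket() {
    grep -qF -- "-a $SOCKET" "$SYSCONFIG" && return 0
    sed -i "s|^SYSLOGD_OPTIONS=\"\(.*\)\"|SYSLOGD_OPTIONS=\"\1 -a $SOCKET\"|" "$SYSCONFIG"
    grep -qF -- "-a $SOCKET" "$SYSCONFIG"
}

# Step 2: send facility local6 to its own file. Classic syslogd wants a tab
# between selector and action, so one is written explicitly.
add_syslog_rule() {
    grep -q '^local6\.\*' "$SYSLOG_CONF" && return 0
    printf '#For SFTP logging\nlocal6.*\t%s\n' "$SFTP_LOG" >> "$SYSLOG_CONF"
}

# Step 3: hard-link the socket into one user's chroot as dev/log. A hard link
# cannot cross filesystems, so the link must come from the socket that lives
# on the sftp filesystem, not from /dev/log. Comparing device numbers turns
# the cryptic "invalid cross-device link" into a clear message.
link_user_log() {
    user_root="$SFTP_ROOT/$1"
    [ -e "$SOCKET" ] || { echo "socket $SOCKET missing; restart syslog first" >&2; return 1; }
    [ -d "$user_root" ] || { echo "no chroot directory $user_root" >&2; return 1; }
    if [ "$(stat -c %d "$SOCKET")" != "$(stat -c %d "$user_root")" ]; then
        echo "$user_root is on a different filesystem from $SOCKET; a hard link will fail" >&2
        return 1
    fi
    mkdir -p "$user_root/dev"
    [ -e "$user_root/dev/log" ] || ln "$SOCKET" "$user_root/dev/log"
}

# Sanity check on sshd_config (path as first argument, default shown): the
# local6 rule only sees messages if internal-sftp logs to that facility.
# sftp-server defaults to AUTH, so "-f LOCAL6" is needed next to "-l VERBOSE".
check_force_command() {
    cfg="${1:-/etc/ssh/sshd_config}"
    grep -Eq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp.*-l[[:space:]]+VERBOSE' "$cfg" || return 1
    grep -Eq '^[[:space:]]*ForceCommand[[:space:]]+internal-sftp.*-f[[:space:]]+LOCAL6' "$cfg"
}

# Run all steps for the users named on the command line, e.g.
#   sh sftp-logging.sh testuser1 testuser2
setup_sftp_logging() {
    add_syslog_socket && add_syslog_rule || return 1
    service syslog restart || return 1          # syslogd creates $SOCKET on start
    for u in "$@"; do link_user_log "$u" || return 1; done
    check_force_command || echo "warning: sshd_config ForceCommand lacks -l VERBOSE -f LOCAL6" >&2
}

[ $# -eq 0 ] || setup_sftp_logging "$@"
```

Re-run link_user_log for each new account as part of user creation; it is safe to call repeatedly because it skips the link when dev/log already exists.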

"ln /sftp/sftp.log.socket /sftp/testuser1/dev/log" does not seem to work on SLES 11 SP2, even if adding both socket and link into the apparmor settings (/etc/apparmor.d/sbin.syslog-ng). I had to specify the user's /dev/log socket... so it sounds like you must modify syslog-ng settings (and restart it) each time you add a user.

Specifically this only works as is if the chroot is on the root filesystem. If not you will get an error "invalid cross-device link" as you cannot hard link across filesystems.

The other comments are absolutely correct on the right way to solve this. One could also bind mount dev to the new location, but since that would expose all of your device nodes, it isn't anything I would recommend.

I believe that Stephen Carpenter's comment/concern about the chroot needing to be on the root filesystem, due to the hardlink, is incorrect. Step 2 above has you create a new socket on the same file system where chroot resides. Then you link from the new socket to the individual users' chroot locations. That link will NOT cross file systems, because you are not linking the original /dev/log socket to the new filesystem. You are linking the new socket (/sftp/sftp.log.socket) to locations in its same file system.

Maybe the original blog did not contain this info, but was modified after Stephen's comments were added?